My case is: All API KEY under an organization with same api access rights Wanna create a new API KEY which inherit ALL access rights of its organization dynamically, so that no need to duplicate access_rights on every api key creation. Any hints ?

Any concern if I define API without org_id ? Doc said it is recommended

Yes, we strongly recommend that org_id's are set on APIs, policies and keys, org ID's basically group ownership of these obejcts, leaving them out could cause things to stop working (we've seen this with policies), not recommended

Angus_Tse:

Any concern if I define Policies without org_id ? Doc said it is recommended

Tyk hashes keys, unless you have this switched off, listing keys will not work (by design). Also, the api_id param is not a filter, it is merely a specifier to identify the back-end to use (search the forum, this has been asked many times).

Angus_Tse:

Any API to list all Keys of an given Organisation

Yes, if you make the list keys GET request to the advanced API on an unhashed installation with a user that belongs to the org

Angus_Tse:

Any API to list all Keys of using an given Policy

No.

Orgs:

Lastly, orgs are there to organise API / Resource ownership domains, not clients, so you can have one org, owning Evernote and LinkedIn APIs and supply keys for both. Then use policies to determine paid or free access to either.

You would only use multiple orgs if you actually want to segregate APIs, keys and ownership from one another, i.e. you have multiple tenants. And ultimately, this only matters in the dashboard, not in the gateway, as the dash/advanced API is the only thing that really cares and filters based on these criteria, and those filters only work if org_ids are used.